Research On Abnormal Traffic Detection Technology For Software Defined Network

Software Defined Network(SDN),a new network architecture supporting numerical control separation and programming,could realize the direct implementation of network strategies and simplify network management.Despite such advantages,it is also vulnerable to network attacks.Traffic anomaly detection technology could detect and deal with network anomalies and malicious attacks,and thereby ensure network security.This paper,focusing on the distributed SDN controller architecture and traffic anomaly detection algorithms,has made the following achievements:Unbalanced controller load is a common problem faced by distributed SDN controller architecture.However,existing studies only focus on adjusting controller load after overload occurs.With the purpose of maintaining the load balance between controllers,this paper improved the threshold-based load balancing mechanism by using trigger factors to replace controller load status information that is updated regularly,which has reduced unnecessary communication overhead.According to the results of the experiment,compared with the load balancing strategy based on a single threshold,the average response time of the scheme proposed in this paper has been reduced by 47.6%,with the throughput rate up by 65.7%.Besides,it also showed robust performance in such aspects as communication overhead and packet delay.Feature extraction is a crucial step in training the traffic anomaly detection model.In this study,the robust RF algorithm was introduced into the CNN model to realize automatic feature extraction and classification of network traffic and the SRS activation function was used in the model to accelerate the convergence rate.Besides,the model proposed was trained and tested on the latest SDN dataset.According to the experimental results,compared with the single RF and CNN models,the CNN-RF model proposed in this paper has shown great improvement,with the average accuracy rate of dichotomous experiment and multi-classification experiment increased to 98.17%and 96.95%respectively.The average testing time on the CICNIDS2017 dataset is 1.278s,up by 61.4%from that of a single CNN model.At the end of the study,the paper realized an SDN-targeted traffic anomaly detection model.The model could create a remote packet capturing service via sFlow,and then extract traffic records from the network in real time with CICFlowMeter.Compared with the port mirroring method,the load generated by this model is lighter and can be scaled to multiple switchboards.According to the results of simulation experiments,the model could detect abnormal traffic in the network in real time and block the host from initiating the attack,which could effectively safeguard network security.